Install + Configure WordPress Varnish Cache 3 Firewall

Varnish is a rock-solid reverse proxy and web accelerator: it serves cached copies of your pages as static content instead of having PHP render every request. Varnish also has a firewall component, thanks to vmods that comotion has integrated to provide a Web Application Firewall (WAF) for your WordPress site or any other web site. A variety of attacks can be blocked, such as XSS, SQL injection, command execution and other common web vulnerabilities.

Varnish inspects HTTP requests very quickly, so there is very little overhead on the Digital Ocean 512 MB VPS this web site runs on. Even though Varnish 3 is end of life, many users may not have migrated to Varnish 4 or 4.1 yet. I have run tests with Varnish 4 and 4.1, and a guide for those versions will follow when the tests are complete. This WordPress Varnish Cache 3 firewall guide assumes you are using a Debian or Ubuntu system, but the technique will work on any distro.

The Varnish 3 firewall integrates many rules from the popular ModSecurity web application firewall. You will see how to include the Varnish firewall rules in your VCL so you can configure protection for your WordPress or other site. WordPress has an enormous market share, which makes it a prime target for attackers, so protecting it is critical.

Attention: this should be tested thoroughly in a development environment first.

It is highly recommended to use a plugin such as Zend Speed Query to remove query strings from CSS and JS files.

Install WordPress Varnish Cache 3 Firewall

I will assume you already have Varnish 3 installed and configured using this guide, in which case you only need to add the source repository (if you don't already have it) and update the repository cache.

The next 4 lines are for 32-bit systems only, because Varnish stopped compiling packages for 32-bit systems after version 3.0.2; however, when you build from source for the vmods you will get the final Varnish 3 release, 3.0.7.

Configure Varnish 3 Firewall

In your Varnish default.vcl, add this line immediately after the closing curly bracket of your sub vcl_recv section. If you want added security you can add the include line before sub vcl_recv begins, but you may get some false positives.

} # sub vcl_recv ends
include "/etc/varnish/security/vsf.vcl";

Test that your Varnish firewall configuration will load

varnishd -C -f /etc/varnish/default.vcl

If you see any errors you will need to fix them. I had to comment out throttle and shield because vsf.vcl already imports them for DDoS protection.

#import throttle;
#import shield;

Test your configuration again, and if it succeeds reload Varnish to enable the web application firewall

sudo service varnish reload
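The configuration steps above (placing the include right after the closing brace of sub vcl_recv and commenting out the vmod imports that vsf.vcl already performs) as an added Python example; it is not part of this guide or of the VSF project, the VCL and vsf.vcl contents are constructed stand-ins, and the result should still be checked with varnishd -C -f as shown earlier.

```python
# Added example (not from the guide): wire vsf.vcl into a Varnish 3 default.vcl.
import re
INCLUDE_LINE = 'include "/etc/varnish/security/vsf.vcl";'

def find_sub_end(vcl, name="vcl_recv"):
    # Index just past the closing brace of `sub <name> {...}`; nested braces
    # are counted and `#` comments skipped so neither is taken for the end.
    m = re.search(r"\bsub\s+%s\s*\{" % re.escape(name), vcl)
    if not m:
        raise ValueError("sub %s not found" % name)
    depth, i = 0, m.end() - 1
    while i < len(vcl):
        c = vcl[i]
        if c == "#":                      # comment runs to end of line
            i = vcl.find("\n", i)
            if i < 0:
                break
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced braces in sub %s" % name)

def add_vsf_include(vcl):
    # Put INCLUDE_LINE on its own line right after sub vcl_recv, keeping any
    # trailing comment; a second run is a no-op so it is never duplicated.
    if INCLUDE_LINE in vcl:
        return vcl
    eol = vcl.find("\n", find_sub_end(vcl))
    eol = len(vcl) if eol < 0 else eol
    return vcl[:eol] + "\n" + INCLUDE_LINE + vcl[eol:]

def disable_duplicate_imports(vcl, vsf_vcl):
    # Comment out every `import X;` that vsf.vcl already performs (the guide
    # hit this with throttle and shield) so the combined VCL still compiles.
    done = set(re.findall(r"^\s*import\s+(\w+)\s*;", vsf_vcl, re.M))
    imp = re.compile(r"^\s*import\s+(\w+)\s*;")
    return "".join(
        "#" + ln if (m := imp.match(ln)) and m.group(1) in done else ln
        for ln in vcl.splitlines(True))
SAMPLE_VCL = """import throttle;
sub vcl_recv {
    if (req.url ~ "^/wp-admin") { return (pass); }  # keep } admin uncached
} # sub vcl_recv ends
sub vcl_fetch { return (deliver); }
"""  # constructed stand-ins for default.vcl and vsf.vcl
SAMPLE_VSF = "import throttle;\nimport shield;\n"
```

Run it as add_vsf_include(disable_duplicate_imports(open(default_vcl).read(), open(vsf_vcl).read())) and write the result back only after varnishd -C -f accepts it.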

Testing Varnish 3 Firewall

You should monitor for requests that may be caught as false positives by using varnishlog

varnishlog -c -m VCL_Log:

You are welcome to test out different XSS and SQL injection attacks now

You can test a WordPress SQL injection attack like this and see that the Varnish firewall prevents it
